The following versions of Ferrous HTTP server are currently supported with security updates:
| Version | Supported | Notes |
|---|---|---|
| 0.1.x | ✅ | Current development version |
| < 0.1 | ❌ | Pre-release versions not supported |
Ferrous is built with security in mind using Rust's memory safety guarantees:
- Memory Safety: Rust's ownership and borrowing rules rule out buffer overflows, use-after-free and null pointer dereferences in safe code
- Input Validation: All HTTP headers and request bodies are validated
- Request Size Limits: A configurable maximum body size (`max_body_size`) limits resource exhaustion from oversized requests
- Timeout Protection: Connection and CGI timeouts prevent resource exhaustion
- Path Traversal Protection: File serving is restricted to configured directories
- No Crashes: Graceful error handling keeps the server running instead of panicking on bad input
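One way to implement the path traversal protection listed above, as an added Rust example that is not Ferrous's own code. `resolve_under_root` and `percent_decode` are hypothetical names, and the document root is assumed to come from the server's configuration; the check normalises the request path lexically so that it fails closed even when the target file does not exist.

```rust
use std::path::{Path, PathBuf};

/// Resolve a request path (e.g. "/static/../etc/passwd") against the configured
/// document root, returning None when the path would escape that root.
pub fn resolve_under_root(root: &Path, request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(request_path)?;
    // NUL bytes and backslashes are classic ways to smuggle a different path
    // past a string-based filter; reject them after decoding so %00 is caught too.
    if decoded.contains('\0') || decoded.contains('\\') {
        return None;
    }
    let mut depth = 0usize;
    let mut rel = PathBuf::new();
    for seg in decoded.split('/') {
        match seg {
            "" | "." => continue, // empty segment (leading or double slash) or "."
            ".." => {
                if depth == 0 {
                    return None; // would climb above the document root
                }
                rel.pop();
                depth -= 1;
            }
            s => {
                rel.push(s);
                depth += 1;
            }
        }
    }
    Some(root.join(rel))
}

/// Minimal %XX decoder; malformed escapes are rejected rather than passed through.
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = s.get(i + 1..i + 3)?; // None if truncated or not a char boundary
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}
```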
Known limitations:
- No TLS/SSL: Communications are unencrypted
- Single-threaded: Limited to one CPU core
- CGI Restrictions: Only Python (.py) scripts supported
- No Authentication: Only basic session management is provided
- Development Focus: Designed for learning, not enterprise deployment
If you discover a security vulnerability in Ferrous, please report it responsibly:
- Email: hamza.elazzouzi@example.com (replace with your actual email)
- GitHub: Open a private security advisory at https://github.com/Hamza-El-Azzouzi/localserver/security/advisories/new
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Weekly updates on progress
- Resolution: Target 30 days for patches, depending on severity
If Accepted:
- We'll work on a fix and keep you updated
- Credit will be given in release notes (unless you prefer anonymity)
- Fix will be released as a patch version
- Security advisory will be published after fix
If Declined:
- We'll explain why it's not considered a vulnerability
- May still be tracked as an enhancement
- You're free to disclose responsibly
When using Ferrous:
- Run with Limited Privileges: Don't run as root
- Use Behind Reverse Proxy: Deploy behind Nginx/Apache so that TLS is terminated at the proxy, since Ferrous itself has no TLS
- Configure Firewalls: Restrict access to necessary ports
- Monitor Logs: Watch for suspicious activity
- Update Dependencies: Keep Rust and crates up to date
- Sanitize CGI Scripts: Validate every input your CGI scripts receive before acting on it
- Limit Upload Sizes: Configure an appropriate `max_body_size`
- Review Configuration: Audit your config.yaml regularly
Last security review: January 2026
Tools used:
- Valgrind (memory leak detection)
- Rust Clippy (code quality)
- Manual code review
- Stress testing with wrk/siege (HTTP load-generation tools)
Findings:
- ✅ Zero memory leaks detected
- ✅ No crashes under stress testing
- ✅ Input validation working correctly
- ✅ Timeout mechanisms functioning
This project:
- Follows OWASP secure coding practices
- Uses Rust 2021 edition security features
- Implements input validation throughout
- Provides audit logging capabilities
Disclaimer: While we strive for security, this is an educational project. Use at your own risk in production environments. Consider enterprise-grade servers (Nginx, Apache) for mission-critical applications.